Feb 23 2021 05:48 PM
Hello,
We turned on this rule for weeks. But all the incidents from the rule seem to be benign.
The query is as follows:
SigninLogs
| where ResultType == 500121
| where Status has "MFA Denied; user declined the authentication"
| extend AccountCustomEntity = AlternateSignInName
| extend IPCustomEntity = IPAddress
| extend URLCustomEntity = ClientAppUsed
Our idea is to check the previous login IP or the deviceId of DeviceDetail.
Is there any other suggestion or comment?
Thanks a lot.
Feb 28 2021 07:19 PM
Nov 17 2021 10:42 AM
Try this query:
let aadFunc = (Table:string)
{
table(Table)
| where ResultType == 500121
| where Status has "MFA Denied; user declined the authentication"
| extend Type = Type
| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = ClientAppUsed
};
let aadSignin = aadFunc("SigninLogs");
let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
union isfuzzy=true aadSignin, aadNonInt
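One way to act on the idea in the question (compare the denied attempt against the user's earlier sign-ins) on top of the two-table query above, as an added example that is not from either post: it keeps only MFA denials whose source IP has no successful sign-in for that user in the previous 30 days. The 30-day lookback, the 1-day detection window and the ResultType 0 success filter are assumptions you can tune.

```kql
// Added example (not from either post): MFA denials from an IP the user has
// never signed in from successfully during the lookback window.
let lookback = 30d;        // assumed history window
let window = 1d;           // assumed rule run window
let aadFunc = (Table:string)
{
table(Table)
| where TimeGenerated > ago(window)
| where ResultType == 500121
| where Status has "MFA Denied; user declined the authentication"
// DeviceDetail is dynamic in SigninLogs but a JSON string in the
// non-interactive table, so normalise it before reading deviceId
| extend DeviceId = tostring(parse_json(tostring(DeviceDetail)).deviceId)
| project TimeGenerated, Type, UserPrincipalName, IPAddress, DeviceId, ClientAppUsed
};
let denied = union isfuzzy=true aadFunc("SigninLogs"), aadFunc("AADNonInteractiveUserSignInLogs");
// Per-user IPs that produced at least one successful sign-in before the window
let knownIPs = union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs
| where TimeGenerated between (ago(lookback) .. ago(window))
| where ResultType == 0    // assumed: 0 marks a successful sign-in
| summarize PriorSuccessCount = count(), LastSeen = max(TimeGenerated) by UserPrincipalName, IPAddress;
denied
| join kind=leftouter knownIPs on UserPrincipalName, IPAddress
| where isnull(PriorSuccessCount)   // no prior success from this IP for this user
| project-away UserPrincipalName1, IPAddress1
| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = ClientAppUsed
```

Denials from an IP the user already uses successfully are dropped, which is where most of the benign "declined on my own phone" incidents come from; keeping DeviceId in the output lets you apply the same known-device check if that proves more reliable than IP in your tenant.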